SecurityProNews (http://www.securitypronews.com): Internet Security News

The Best Form of Web Application Security Scans
Mon, 02 Feb 2015 15:06:13 +0000
http://www.securitypronews.com/best-form-web-application-security-scans-2015-02

Automatic versus manual. It is a heavily debated subject whatever field you work in, and the web application security industry is no different. Should you do a manual penetration test, or scan all your websites with an automated web application security scanner? With which process would you find the most vulnerabilities, and which one has the best return on investment?

In reality you need a bit of both. With today's complex web applications you cannot do without automation. By automating the bulk of a penetration test, that is, by scanning the application with a web vulnerability scanner, you make the audit more consistent, cover more inputs and save time. Saving time keeps costs low and leaves enough of the budget to finish the penetration test with a manual check for logical vulnerabilities.

In this article I walk through the stages of a web application penetration test to show why automation is a must in web application security.

Web Application Coverage – Identifying the Attack Surface

The first step before auditing the security of a website is to find all the possible attack surfaces, also called entry points. Attack surfaces include input fields such as those in contact forms, shopping carts and login forms, parameters in the URL, and hidden parameters in the page source (hidden form fields, or parameters that only appear in JavaScript). Keep in mind that a typical medium-sized modern web application can have hundreds or even thousands of such inputs, many of which are difficult to spot by eye.

An automated web application security scanner such as Netsparker has a crawler component built for exactly this purpose: to crawl the web application and identify all reachable attack surfaces so they can be checked for cross-site scripting, SQL injection and other web application vulnerabilities and security issues. Typically the scanner crawls such a website in less than an hour. Could you do this manually? In theory, yes. In practice, no: it would take days or weeks for a seasoned penetration tester, with a high chance of missing input fields. One caveat: a crawler only finds what it can reach, so give it credentials for authenticated areas and compare its coverage report against the application's known routes before trusting the result.

It is very important to identify all possible attack surfaces, because whatever is not found cannot be tested. A malicious attacker only needs to find one vulnerable input field to compromise a web application.
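To make the attack-surface step concrete, here is an added example (not code from the article, and not Netsparker's crawler or any other product's code) that pulls every injection point a scanner would probe out of one page: visible and hidden form fields plus URL query parameters, including parameters hidden in a form's action URL. The sample HTML, the hostname example.test and the helper names are constructed for this demonstration. It also carries the effort arithmetic used later in the article through as a function, so the numbers can be recomputed for a real page count.

```python
"""Enumerate the injection points a scanner would probe on one page.

Constructed example: the HTML below is made up for this article, and the
helpers are not Netsparker's crawler or any other product's code.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlparse


@dataclass(frozen=True, order=True)
class InjectionPoint:
    url: str      # URL the parameter is submitted to (query string stripped)
    method: str   # "GET" or "POST"
    name: str     # parameter name
    kind: str     # "form" (visible field), "hidden" (hidden field) or "query" (URL parameter)


class SurfaceParser(HTMLParser):
    """Collects form fields (visible and hidden) and URL query parameters."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.points = set()
        self._form = None   # (action_url, method) while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.base_url, a.get("action") or "")
            self._form = (self._strip_query(action), (a.get("method") or "GET").upper())
            self._add_query_params(action)          # action="/x?token=1" is an input too
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            kind = "hidden" if (a.get("type") or "").lower() == "hidden" else "form"
            self.points.add(InjectionPoint(self._form[0], self._form[1], a["name"], kind))
        elif tag == "a" and a.get("href"):
            self._add_query_params(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    @staticmethod
    def _strip_query(url):
        return urlparse(url)._replace(query="", fragment="").geturl()

    def _add_query_params(self, url):
        base = self._strip_query(url)
        for name, _ in parse_qsl(urlparse(url).query, keep_blank_values=True):
            self.points.add(InjectionPoint(base, "GET", name, "query"))


def enumerate_attack_surface(html, base_url):
    """Return every injection point found in one page, sorted for stable output."""
    parser = SurfaceParser(base_url)
    parser.feed(html)
    return sorted(parser.points)


def manual_effort_hours(n_points, variants=50, minutes_per_check=1.0):
    """Hours to test every point against every variant by hand (the article's 100 x 50 sum)."""
    return n_points * variants * minutes_per_check / 60


# Constructed sample page: a contact form, a search box, a product link and a login form.
SAMPLE_PAGE = """
<html><body>
<form action="/contact" method="post">
  <input type="hidden" name="campaign" value="spring">
  <input type="text" name="name"><input type="email" name="email">
  <textarea name="message"></textarea>
</form>
<form action="/search">
  <input name="q">
</form>
<a href="/product?id=42&ref=home">Banner ad</a>
<form action="/login?lang=en" method="POST">
  <input name="username"><input type="password" name="password">
  <input type="hidden" name="next" value="/account">
</form>
</body></html>
"""

if __name__ == "__main__":
    points = enumerate_attack_surface(SAMPLE_PAGE, "https://example.test/")
    for p in points:
        print(f"{p.method:4} {p.url:35} {p.name:10} ({p.kind})")
    print(f"{len(points)} injection points; ~{manual_effort_hours(len(points)):.1f} h to test by hand")
```

Run it and the script lists 11 injection points from the sample page, two of them hidden fields and three of them URL parameters. Two limitations matter in practice: an HTML-only parser never sees routes that JavaScript builds at runtime, and nothing behind a login is visible until the crawler is given credentials, which is exactly where a manual review of the scanner's coverage report earns its keep.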

Identifying Vulnerabilities and Security Flaws in a Timely Manner

During an automated web application security scan each attack surface is checked for hundreds of different vulnerability variants within a few hours. As with crawling, such a task is impractical to do by hand.

Even a small modern web application can contain at least 100 attack surfaces. If a security professional takes a minute per test (and they need to be very good and very quick to manage that), testing each input for just 50 vulnerability variants is 100 × 50 = 5,000 minutes, or roughly 83 working hours: about 10 person-days spent checking routine things. That is an unsustainable amount of time for work a tool finishes in hours.

Identifying More Web Application Vulnerabilities

If a web application is audited manually, the audit is limited by the knowledge of the penetration tester. A heuristic web application security scanner, on the other hand, carries a large list of vulnerability checks maintained by a whole team of security engineers and researchers who regularly update it with new attack vectors, bypasses and security checks.

Identifying Low Hanging Fruit Vulnerabilities

Many security professionals point out that automated tools only identify low-hanging fruit and technical vulnerabilities. True, but history has shown that the majority of successful web application attacks exploited a technical vulnerability such as SQL injection or cross-site scripting; attackers have rarely needed a logical vulnerability.

This does not mean you should ignore logical vulnerabilities. Automate the repetitive checks and use the time saved to hunt for logical flaws. If you try to do both manually you will not keep up with the development of the web application or with the stream of new attack variants.

Identifying Logical Vulnerabilities

Web application vulnerabilities fall into two broad classes: technical and logical. Technical vulnerabilities are flaws in the code that automated tools can identify, such as the familiar SQL injection and cross-site scripting vulnerabilities. Logical vulnerabilities are flaws in what the application is allowed to do rather than in how the code is written, so only a person who understands the purpose and business rules of the application can identify them.

What is a Logical Vulnerability?

An advertising agency launches a promotion that gives $100 of free adverts to anyone who buys $100 worth of adverts. However, the web application also hands out the free $100 to users who buy less than $100 worth of advertising. This is not a flaw a scanner's payloads can trigger, since every request is well-formed and the code does what it was written to do, yet it is still a vulnerability that attackers can abuse.
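The promotion above, written as code, as an added example that is not part of the article: the vulnerable handler decides on a subtotal the client sends, so a $10 order with a forged subtotal field collects the credit, while the hardened handler recomputes the order value from a server-side price list. The product names, prices and request shape are assumptions made for the demo.

```python
"""The article's promotion as code: a vulnerable handler beside a hardened one.

Constructed example, not code from the article or from any real ad platform.
The catalogue, prices and request shape are assumptions made for the demo.
"""
from decimal import Decimal

# Server-side price list (constructed). Prices never come from the client.
CATALOG = {"banner": Decimal("25.00"), "sidebar": Decimal("10.00"), "popup": Decimal("40.00")}
THRESHOLD = Decimal("100.00")   # spend at least this much ...
CREDIT = Decimal("100.00")      # ... to receive this much free advertising


def promotion_credit_vulnerable(request):
    """Decides on the client-supplied subtotal. Every request is syntactically valid
    and no scanner payload makes it misbehave, yet an attacker can send
    {"items": {"sidebar": 1}, "subtotal": "100.00"} and collect the credit for $10."""
    subtotal = Decimal(request["subtotal"])
    return CREDIT if subtotal >= THRESHOLD else Decimal("0")


def order_total(items):
    """Recompute the order value from the server-side catalogue and the quantities."""
    total = Decimal("0")
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown product {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"bad quantity for {sku!r}: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def promotion_credit_hardened(request):
    """Ignores any client-supplied total: the business rule is enforced on the
    server's own arithmetic, so the credit is granted only when the real spend
    reaches the threshold."""
    total = order_total(request["items"])
    return CREDIT if total >= THRESHOLD else Decimal("0")


if __name__ == "__main__":
    # Constructed request: $10 of adverts with a forged subtotal field.
    forged = {"items": {"sidebar": 1}, "subtotal": "100.00"}
    print("vulnerable grants", promotion_credit_vulnerable(forged))   # 100.00
    print("hardened grants  ", promotion_credit_hardened(forged))     # 0
```

Point a scanner at either handler and it reports nothing: both accept well-formed input and return well-formed output. Only someone who knows the rule ("$100 of spend earns $100 of credit") can see that the first one does not enforce it, which is why this class of flaw stays on the manual side of the split the article describes.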

Scanning Many Web Applications and Keeping Them Secure

The problem of identifying vulnerabilities and security flaws gets considerably worse when you have tens or even hundreds of web applications. At that scale it is neither viable nor practical to rely on manual penetration tests alone. When a vulnerability outbreak such as Heartbleed hits, how do you quickly identify every affected web application? A desktop-based scanner run by one person will not keep up. Look instead at an online web application security scanner, purpose-built to scale and equipped with the tooling teams need to collaborate and track every vulnerability through to remediation before it is exploited by malicious hackers.

Web Application Security Convenience

Businesses depend heavily on web applications, and new functionality is constantly added to keep up with business requirements. Every change should be tested before it reaches the live servers. With an easy-to-use web application security scanner your own staff can scan each change and remediate whatever the scanner reports before it goes live, without slowing down the deployment process.

You Need Automated Web Security Tools to Complete the Job

The benefits of automated tools in web application security are many. Apart from saving time and making penetration tests more consistent, you can also save budget. If the scanner is easy to use and keeps false positives low, your own QA and testing teams can run the vulnerability scans even if they are not web security experts, and the time spent verifying findings stays small. Treat any finding the scanner cannot back with evidence (the payload that triggered it and the response that proves it) as unverified until someone checks it.

Emulate Malicious Hackers – Hack Your Website

Malicious hackers do not have access to the web application's code, so they use automated black-box scanners against websites in the hope of finding vulnerabilities. Unfortunately, most of the time they do find some. Many internet security and monitoring organizations claim that at least one website is hacked every five seconds.

Emulating malicious hackers, by using a web application security scanner to find the vulnerabilities in your websites and web applications before they do, is therefore the best way to go about it. There is no better way to secure your web applications.

Web Application Security Done Right

To recap: it is humanly impossible, and unsustainable, to manually audit a modern web application for every type of known and unknown vulnerability without mistakes and within a reasonable time frame. At the same time, no automated tool can find all vulnerabilities. The OWASP Top 10 list is a good example: as explained in An Automated Scanner That Finds All OWASP Top 10 Security Flaws, you need both automated scans and manual audits to cover everything the OWASP Top 10 lists. So even if you are hiring a penetration tester rather than doing the job yourself, look elsewhere if they do not use automated web security tools.

In web application security, automated tools should not and will not replace the human, but the human alone cannot do a good job without automated web security tools.

Cisco Announces Intentions to Purchase Neohapsis
Thu, 11 Dec 2014 14:36:34 +0000
http://www.securitypronews.com/cisco-announces-intentions-purchase-neophasis-2014-12

Cisco announced that it intends to acquire Neohapsis, a company that offers network, cloud and application security services, as well as IT risk and compliance services.

Cisco says it will use the acquisition to help customers build security capabilities and overcome operational and technical vulnerabilities, as well as “achieve a comprehensive view of their risks, take advantage of new business models, and define structured approaches for better protection.”

Neohapsis, in its own announcement of the deal, wrote:

As our clients and friends in the industry know, Neohapsis has been a key player in the security, risk and compliance market. Today, we are excited to announce plans to join Cisco, who we believe will be the perfect strategic match for us, given our services and research mission.

We share with Cisco a global enterprise customer base, and a commitment to help our customers address their most challenging threats, especially in the rapidly evolving mobile and cloud arenas. Because of Neohapsis’ and Cisco’s shared focus on the Internet of Everything, the opportunity to do groundbreaking work together is enormous. Together, what we bring to enterprise customers, IoT device manufacturers, and associated service providers will be unique in the market.

“Today, businesses are looking at security in a strategic, comprehensive way to protect mission critical processes and assets,” said Hilton Romanski, who leads corporate development at Cisco. “There has never been a greater need to understand the impact that security threats can have on a company’s bottom line. For these reasons, experienced security advice is now among the table stakes required to assess and address the threat landscape that faces enterprises today. The skills and capabilities companies need to maintain a strong security posture, keep pace with rapidly evolving threats and take full advantage of new technologies that can protect their businesses are rare and difficult to retain. The right advisory service can change all of that.”

The Chicago-based Neohapsis team will join Cisco’s Security Services organization led by SVP and GM Bryan Palma. Cisco expects the deal to close in the second quarter of fiscal year 2015. Terms weren’t disclosed.

Messaging Apps Are Terribly Insecure
Thu, 13 Nov 2014 14:52:04 +0000
http://www.securitypronews.com/messaging-apps-terribly-insecure-2014-11

It's likely that you use a messaging app every day to communicate with friends and family. It's also likely that the messaging app you're using is not equipped to protect your privacy.

The Electronic Frontier Foundation (EFF) has just released a scorecard covering 39 messaging apps, ranging from the relatively small Silent Phone and CryptoCat to the ubiquitous iMessage and Facebook Messenger. The scorecard rates the security of each app on seven criteria:

Is your communication encrypted in transit? Is it encrypted with a key the provider doesn't have access to? Can you independently verify your correspondent's identity? Are past communications secure if your keys are stolen? Is the code open to independent review? Is the crypto design well-documented? Has there been an independent security audit?

“The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren’t protected by encryption,” said EFF Technology Projects Director Peter Eckersley. “Many new tools claim to protect you, but don’t include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message.”

Out of the most popular apps to be rated, Apple’s iMessage and FaceTime had the best security score (five out of seven).

Services like AIM, Blackberry Messenger, Secret, and Yahoo Messenger were only able to garner one check mark – for messages being encrypted in transit.

Popular apps like WhatsApp, Snapchat, Skype, and Facebook Messenger only grabbed two checks.

“We’re focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues,” said EFF Staff Attorney Nate Cardozo. “We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography.”

Eckersley told Ars Technica that even a perfect score on the EFF's scorecard does not mean an app comes with a 100 percent recommendation.

“Getting a perfect score here is more the first step than final victory. We still need usability studies, metadata protection, independently commissioned audits, and other measures of security before we try to get the whole network to switch to one of these options,” he said.

He went on to say that “good cryptographic design should not cause significant inconvenience.”

Dropbox Says They Haven't Been Hacked
Thu, 16 Oct 2014 13:53:08 +0000
http://www.securitypronews.com/dropbox-says-havent-hacked-2014-10

According to reports, hundreds of Dropbox usernames and passwords were leaked online as a preview of a larger alleged leak of 7 million accounts.

As The Next Web reports, a thread appeared on reddit pointing to files with the leaked account details, saying, “Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts. To see plenty more, just search on [redacted] for the term Dropbox hack. More to come, keep showing your support.”

According to Dropbox, it has not been hacked; the account details were obtained from third-party services and replayed against Dropbox. The company addressed the situation on its blog:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

In an update to the post, it added:

A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.

Long story short, it's probably a good time to reset your passwords across the online services you use, to make each one different this time, and to turn on 2-step verification where it is offered. Credential reuse is what turns a breach at one unrelated service into a takeover at another.
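Dropbox's statement describes both the pattern and its response: leaked credentials replayed against many accounts, detected as suspicious login activity and answered with automatic password resets. As an added example (not Dropbox's code, and not its log format), here is a minimal version of that detection run over constructed login records: one address that walks through a leaked list is flagged and the accounts it got into are queued for a forced reset, while a legitimate user mistyping a password twice is left alone. The log format, addresses and usernames are all made up for the demo.

```python
"""Spot credential stuffing in login records: one source replaying leaked
username/password pairs against many accounts.

Constructed example: the log format and the log lines are made up for this
article; they are not Dropbox's logs or its detection logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed: 203.0.113.5 walks a leaked list (six accounts in four minutes, one hit),
# while a legitimate user at 198.51.100.7 mistypes a password twice and then gets in.
SAMPLE_LOG = """\
2014-10-14T09:58:10Z ip=198.51.100.7 user=alice result=fail
2014-10-14T09:58:31Z ip=198.51.100.7 user=alice result=fail
2014-10-14T09:58:52Z ip=198.51.100.7 user=alice result=ok
2014-10-14T10:00:01Z ip=203.0.113.5 user=alice result=fail
2014-10-14T10:00:02Z ip=203.0.113.5 user=bob result=fail
2014-10-14T10:00:04Z ip=203.0.113.5 user=carol result=ok
2014-10-14T10:01:10Z ip=203.0.113.5 user=dave result=fail
2014-10-14T10:02:40Z ip=203.0.113.5 user=erin result=fail
2014-10-14T10:03:59Z ip=203.0.113.5 user=frank result=fail
"""


def parse_auth_log(text):
    """Turn log lines into dicts with a datetime; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag any source IP that tries at least `min_accounts` distinct usernames
    within `window`. Returns {ip: {"accounts_tried": n, "compromised": [users]}},
    where "compromised" lists the accounts that address logged into successfully."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):             # sliding window over this IP's events
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = {
                    "accounts_tried": len({e["user"] for e in evs}),
                    "compromised": sorted({e["user"] for e in evs if e["result"] == "ok"}),
                }
                break
    return flagged


def accounts_to_reset(flagged):
    """Accounts needing a forced password reset: every successful login from a flagged IP."""
    return sorted({u for hit in flagged.values() for u in hit["compromised"]})


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_auth_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['accounts_tried']} accounts tried, got into {info['compromised']}")
    print("force reset:", accounts_to_reset(hits))
```

The threshold (five distinct accounts from one address in ten minutes) is a starting point, not a tuned value; on a real service it has to sit above what shared NAT egress points produce, and the attacker side responds by spreading attempts across many addresses, which is why the distinct-account count per source matters more than the failure count.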

‘Shellshock’ Bug Scaring Experts as Much as Bash Heartbleed
Fri, 26 Sep 2014 13:18:51 +0000
http://www.securitypronews.com/shellshock-bug-scaring-experts-much-bash-heartbleed-2014-09

It feels like major security vulnerabilities are more common than ever, and there's a big one alarming the blogosphere, referred to as "Shellshock". It is a bug in the Bash shell that was disclosed through Red Hat's security team.

Security expert Robert Graham at Errata Security has been blogging about the bug, saying that it is "as big as Heartbleed" and that it is twenty years old. He says it is as big a deal as Heartbleed because Bash interacts with other software in unexpected ways and because an unknown number of systems will remain unpatched. He writes:

We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.

I’d suggest keeping up with his blog for analysis on the issue, as it appears to be the go-to spot at this point.

Study Suggests a Large Majority of Mobile Apps Fail Basic Security Tests
Thu, 18 Sep 2014 13:24:44 +0000
http://www.securitypronews.com/study-suggests-a-large-majority-of-mobile-apps-fail-basic-security-tests-2014-09

In general, we shouldn't consider mobile apps particularly secure for the foreseeable future, at least if Gartner is correct in its latest analysis.

The firm said this week that over 75% of mobile apps will fail basic security tests through 2015. This is not particularly comforting for businesses.

Gartner notes that enterprise employees download from app stores, and use mobile apps that can access enterprise assets or perform business functions, and that the apps have “little to no security assurances”.

“Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance,” said Dionisio Zumerle, principal research analyst at Gartner. “Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”

“Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied,” said Zumerle. “App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors.”

Gartner looks even further into the future, and says that by 2017, the focus of endpoint breaches will shift to tablets and smartphones. Through that year, it predicts, over 75% of mobile security breaches will be the result of mobile app misconfigurations as opposed to “deeply technical” attacks.

Gmail Promises Security Precautions Regarding Non-Latin Character Support
Thu, 28 Aug 2014 13:46:53 +0000
http://www.securitypronews.com/gmail-promises-security-precautions-regarding-non-latin-character-support-2014-08

Last week, Google announced that it had started recognizing non-Latin characters in email addresses, letting users send and receive email in more languages. In doing so, however, it potentially opened the door to more spam slipping through, courtesy of bad actors using sneaky look-alike character combinations.

Google isn't letting this happen, though. The company announced in a blog post that it has taken measures to prevent this. Mark Risher of the Spam & Abuse Team writes:

Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims. Can you imagine the risk of clicking “ShဝppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?

To stay one step ahead of spammers, the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” designation—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.

These changes began rolling out on Tuesday. Google says it hopes others in the industry will “follow suit”.
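To show what the "Highly Restricted" level rejects and what it lets through, here is an added example (not Google's code) with a simplified script-mixing check. It approximates each character's script from the first word of its Unicode name, an assumption made to keep the example dependency-free; a production check uses the Unicode Script property and the UTS #39 tables. Note that the post's "MyBɑnk" survives a script-mixing check on its own, because ɑ (U+0251) is itself a Latin letter; rejecting it needs the character-level restrictions of the UTS #39 identifier profile, which this example does not implement.

```python
"""A simplified version of the script-mixing rule behind the Unicode
"Highly Restricted" level that the Gmail post cites.

Added example, not Google's code. Simplification (assumption): a character's
script is taken from the first word of its Unicode name, e.g.
"MYANMAR LETTER WA" -> MYANMAR. A production check would use the Unicode
Script property and the UTS #39 tables instead.
"""
import unicodedata

# Script combinations that Highly Restricted allows alongside Latin (UTS #39).
ALLOWED_MIXES = [
    {"LATIN", "HAN", "HIRAGANA", "KATAKANA"},   # Japanese
    {"LATIN", "HAN", "BOPOMOFO"},               # Chinese
    {"LATIN", "HAN", "HANGUL"},                 # Korean
]
NAME_TO_SCRIPT = {"CJK": "HAN"}   # "CJK UNIFIED IDEOGRAPH-..." names belong to the Han script


def script_of(ch):
    """Approximate script from the Unicode character name (see module docstring).
    Returns None for characters that do not pin a script (digits, punctuation, marks)."""
    if ch.isascii() and not ch.isalpha():
        return None                             # Common script: digits, '.', '-', '_'
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    if first in ("COMBINING", "ZERO", "DIGIT"):
        return None                             # Inherited / Common
    return NAME_TO_SCRIPT.get(first, first)


def scripts_of(text):
    """Set of scripts used by the text, ignoring script-neutral characters."""
    return {s for s in map(script_of, text) if s is not None}


def restriction_level(text):
    """Classify like UTS #39: "ASCII-Only", "Single Script", "Highly Restrictive",
    or "Mixed" (everything the Highly Restricted level rejects)."""
    if text.isascii():
        return "ASCII-Only"
    scripts = scripts_of(text)
    if len(scripts) <= 1:
        return "Single Script"
    if any(scripts <= allowed for allowed in ALLOWED_MIXES):
        return "Highly Restrictive"
    return "Mixed"


def accept_address_label(label):
    """The policy described in the post: accept a label only at Highly Restricted or tighter."""
    return restriction_level(label) != "Mixed"


if __name__ == "__main__":
    samples = ["ShoppingSite", "Sh\u101dppingSite", "Sh\u03bfppingSite", "MyB\u0251nk", "Tokyo\u6771\u4eac"]
    for label in samples:
        print(f"{label!r:22} {restriction_level(label):18} accept={accept_address_label(label)}")
```

"ShဝppingSite" mixes Latin with Myanmar and "Shοpping" (Greek omicron) mixes Latin with Greek, so both are rejected; "Tokyo東京" is Latin plus Han, one of the combinations the level explicitly allows, so it passes. Run the check on both the local part and each domain label separately, since the post's concern is the domain.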

Security Improvements on Chrome for Windows
Thu, 12 Jun 2014 15:55:25 +0000
http://www.securitypronews.com/security-improvements-on-chrome-for-windows-2014-06

Google announced back in November that it would start requiring all Chrome extensions to be hosted in the Chrome Web Store for its Windows stable and beta channels, starting in January. Google announced today that it is now enforcing this.

Extensions can now only be installed if they are hosted on the Chrome Web Store. Previously installed extensions that are not may be automatically disabled, and will have to be re-installed once they are hosted on the Chrome Web Store.

“We’re constantly working to keep Chrome users safe as they browse, with built-in features like Safe Browsing, which blocks many types of malicious websites and downloads,” says Erik Kay, Engineering Director in a post on the Chrome blog. “In the case that malicious software has managed to hijack your settings, we’ve added a “reset browser settings” button, so you can get things back to normal. But since the bad guys continue to come up with new ways to cause our users headaches, we are always taking additional measures.”

“Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity,” Kay adds. “If you notice strange ads, broken web pages or sluggish browsing after installing some new software or plugins, you could be affected.”

Hence the changes.

Google says it will continue to support local extension installs during development for developers, as well as installs via Enterprise policy.

Chrome users on the Windows developer channel and other operating systems are not affected by the changes.

Malware Attacks On Internet Explorer Increasing
Thu, 15 May 2014 13:49:47 +0000
http://www.securitypronews.com/malware-attacks-on-internet-explorer-increasing-2014-05

Everyone has a favorite Internet browser. If yours happens to be Internet Explorer, you may want to switch to a different one, at least for now.

Internet Explorer has numerous problems, but one of the worst right now is an unpatched security flaw.

Attackers are taking advantage of this weakness to build drive-by attacks that can put malware on your computer with a single accidental click.

They set up websites that install the malware automatically. If you are using Internet Explorer and click a wrong link that takes you to one of these websites, your computer can be infected in a matter of seconds.

Malware can slow your computer down, cause pop-ups and use up storage space, and it can be hard to identify and remove. In some cases you might not notice it at all, which might not seem so bad until you realize the attackers have used it to steal your identity and get into your email, social networks and other important accounts.

“I’d say someone taking control of your computer is just the beginning of the worst case scenario,” said Adrian Sanabria, a security expert with 451research.com. “Because then they steal your info, get access to your email, etc.”

Some malware programs give the attackers access to anything on your computer or home network. That means they can find your passwords, look up your credit card numbers and even operate your computer's webcam to spy on you while you are using the machine or have left it switched on.

So what can you do to protect yourself from this type of malware?

According to the U.S. Department of Homeland Security, the best thing to do is to stop using Internet Explorer entirely, at least until the flaw is fixed. You can also disable the Adobe Flash plugin, which stops the attacks currently in circulation from running automatically.

Microsoft is working to fix the problem but is not sure how long it could take.

What’s the Real Story with The Heartbleed Security Hole?
Thu, 17 Apr 2014 14:37:17 +0000
http://www.securitypronews.com/whats-the-real-story-with-the-heartbleed-security-hole-2014-04

The Heartbleed bug (CVE-2014-0160) is a very serious bug in the OpenSSL library, the cryptographic library used to secure communications between computers for many different purposes. Examples of OpenSSL usage include the SSL certificates on web servers (the padlock that indicates an encrypted connection), TLS connections between servers, and email collected or sent over the 'secure' versions of the mail protocols.

This bug affects any server running a vulnerable release of the OpenSSL library, which in practice is a very large number of servers: some estimates put as many as two-thirds of servers at risk from this flaw.

So what exactly is the bug? The technically minded can read the full explanation at Heartbleed.com. For the regular user it means this: the layer that is supposed to keep internet traffic private could be read by an attacker. Sounds serious? It is.

The flaw has been demonstrated to leak memory in both directions: a malicious client can read the memory of a vulnerable server, and a malicious server can read the memory of a vulnerable client, in each case over a connection that is supposedly protected by OpenSSL. Each malformed heartbeat request returns up to 64 KB of whatever happens to be in the process's memory, and the request can be repeated as often as the attacker likes. That means the private key behind the server's certificate could have been leaked, as could almost anything else in the server's memory at the time: session cookies, usernames and passwords. Did you get that? Anything in memory.

Worse perhaps than the leak itself, exploiting this bug leaves no trace in ordinary server logs, since heartbeat messages are not logged, and there is no way to know afterwards which portion of memory was read.

Why is this bug so critical? The flawed OpenSSL releases span the last two years and run on a very large share of servers. It is difficult to put an accurate count on the number affected, but as CNN put it, "The Heartbleed security flaw affects most of the internet".

So how should you keep yourself safe from this bug?

You need to determine whether your servers (or the servers you use) are currently affected. One of the online Heartbleed test sites can check a server for you:

Enter the server name or IP address, followed by an SSL-secured port (443 for HTTPS, 995 for SSL-secured POP3 and 465 for SSL-secured SMTP).

If a server comes back as vulnerable, STOP USING IT: do not log in, do not collect email, do not use the SSL portion of the website until it is patched. Its OpenSSL library needs to be upgraded as quickly as possible; now that the vulnerability is public, malicious actors are scanning for servers with this weakness. OpenSSL releases 1.0.1 through 1.0.1f are affected, and 1.0.1g contains the fix. To complicate matters, distributions such as CentOS shipped a patched build that still reports itself as 1.0.1e, so a server running "1.0.1e" may be either safe or vulnerable. If you are the server admin, check the package's build date or changelog rather than the version string alone: the patched package's changelog names CVE-2014-0160.
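The version check above has a trap, the backported fix that still reports 1.0.1e, so here is an added example (not from the article) that triages an "openssl version" banner and falls back to the package changelog when the version letter alone cannot decide. The changelog text in it is a constructed sample in the style of "rpm -q --changelog openssl"; the example relies only on the CVE identifier appearing in it, and the maintainer address in the sample is made up.

```python
"""Triage an OpenSSL version banner for Heartbleed, including the distro
backport case the article mentions (a patched build that still says 1.0.1e).

Added example, not from the article. The changelog below is a constructed
sample in the style of `rpm -q --changelog openssl`; only the presence of the
CVE identifier is relied upon.
"""
import re
import subprocess

VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<letter>[a-z]?)(?:-beta(?P<beta>\d*))?"
)
CVE = "CVE-2014-0160"

# Constructed sample of a backported fix entry (not a real changelog).
SAMPLE_CHANGELOG_FIXED = """\
* Mon Apr 07 2014 maintainer <security@example.test> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 maintainer <security@example.test> 1.0.1e-16.el6_5.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
"""


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e', None); beta is the beta number if any."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return int(m["major"]), int(m["minor"]), int(m["patch"]), m["letter"], m["beta"]


def heartbleed_status(banner, changelog=""):
    """Return 'not_affected', 'fixed_upstream', 'fixed_backport' or 'vulnerable'.

    Affected releases: 1.0.1 through 1.0.1f, plus the first 1.0.2 beta; 1.0.1g
    shipped the fix. 0.9.8 and 1.0.0 never contained the heartbeat code. A distro
    build that keeps the old letter can only be told apart by its changelog."""
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if beta in ("", "1") else "not_affected"
    if (major, minor, patch) != (1, 0, 1):
        return "not_affected"
    if letter >= "g":                      # "" (plain 1.0.1) and "a".."f" sort below "g"
        return "fixed_upstream"
    if CVE in changelog:
        return "fixed_backport"
    return "vulnerable"


def local_openssl_banner():
    """Banner of the locally installed openssl binary, or None if it is not on PATH."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
        return out.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    banner = local_openssl_banner()
    if banner:
        # On RPM systems pair this with: rpm -q --changelog openssl | grep CVE-2014-0160
        print(banner, "->", heartbleed_status(banner))
    for b in ["OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.0l 6 Jan 2014"]:
        print(b, "->", heartbleed_status(b), "/ with backport changelog:",
              heartbleed_status(b, SAMPLE_CHANGELOG_FIXED))
```

Note what this does and does not tell you: a "fixed_backport" or "fixed_upstream" result means the library on disk is safe, not that every long-running daemon has been restarted to load it, and nothing here says whether the server was exploited before it was patched, which is why the key and password rotation below still applies.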

A server that tests clean today may have been vulnerable until it was patched yesterday. Find out whether the servers were patched recently; if they were, we recommend that every password (including database passwords) be changed. Use new, strong passwords, and do not revert to old ones.

Furthermore, every SSL certificate whose private key lived on a server that ran a vulnerable OpenSSL release should be re-issued, not just the ones on servers you have evidence were attacked, because there is no way to tell whether the key was read. (A vulnerable client leaks the client's own memory, including any client certificate key it holds, not the server's private key, so certificates on servers that were never vulnerable do not need re-issuing for that reason.)

Getting an SSL certificate re-issued generally means generating a new private key and a new Certificate Signing Request (CSR); contact your SSL vendor for instructions, and be aware that some vendors charge for re-issues. Revoke the old certificate once the new one is deployed, since the old key may already be in someone else's hands.

Server admins and IT consultants need to take this flaw seriously: patching and then forgetting about it is no guarantee of safety. Change certificates and usernames + passwords, and change them all NOW.